feat(waf): continue doc

RoRoJ · RoRoJ · commit af2837f902ae · 2025-02-27T18:01:46.000+01:00
diff --git a/pages/edge-services/how-to/assets/scaleway-add-exclusions.webp b/pages/edge-services/how-to/assets/scaleway-add-exclusions.webp
diff --git a/pages/edge-services/how-to/configure-waf.mdx b/pages/edge-services/how-to/configure-waf.mdx
@@ -48,3 +48,99 @@ WAF is not available for Object Storage bucket origins.
 4. Select a WAF **mode**. Requests judged to be malicious can either be **blocked** and prevented from passing to the Load Balancer origin, or **logged** but allowed to pass.
 
 5. Click **Save**
+
+WAF is enabled and you are returned to your Edge Services pipeline overview. You can disable or edit WAF settings at any time.
+
+## How to set exclusions
+
+Once you have enabled WAF, you can choose to set **exclusions**. Exclusions are a set of filters: requests that match the filters are not evaluated by WAF, and pass directly to your Load Balancer origin.
+
+1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to set WAF exclusions.
+
+2. In the **WAF** panel, click **+ Add exclusions**. WAF goes into Edit mode.
+
+    <Message type="note">
+    You can only add exclusions **after** you have already enabled WAF.
+    </Message>
+
+    The following screen displays:
+
+    <Lightbox src="scaleway-add-exclusions.webp" alt="A screenshot of the Add exclusions popup in the Scaleway console, with an 'if' box to set a path regex value, and a 'then' box pre-filled to 'Bypass WAF'" /> TODO CHANGE NEW BUTTON?
+
+3. Set up to two filters for this exclusion. You can add either:
+  - One ***Path regex** filter, to match paths of requests to exclude. For example, TODO
+  - One **HTTP method** filter, to match te HTTP methods of requests to exclude. For example, enter one or more of `GET`, `PATCH`, `PUT`, `DELETE` etc. Requests that match any of these methods will be considered to match the HTTP method filter.
+  - One of each of the above (use the **Add filter** button to add the second filter)
+
+  If you include both a path regex and an HTTP method filter in the same exclusion, requests must match both of the filters in order to be excluded.
+
+  Currently, the only action possible to set for matching requests is **Bypass WAF** (matching requests will not be evaluated by WAF and will proceed directly to the Load Balancer origin.) In the future, more actions will be added.
+
+4. Click **Add** to add the exclusion.
+
+  You are returned to your Edge Services pipeline overview.
+
+5. **Optional** Click **Add exclusions** to add more exclusions, if you wish (maximum 100). Follow steps 3 to 4 each time.
+
+6. Click **Save changes** to exit Edit mode and save all the exclusions you added.
+
+## How to edit exclusions
+
+1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to edit WAF exclusions.
+
+2. In the WAF panel, click <Icon name="edit" /> next to the exclusion you want to edit.
+
+3. Make edits to the filters as required. Remember, you cannot add more than one filter of each type (maximum of one path regex and one HTTP method filter per exclusion).
+
+4. Click **Confirm** when you have finished editing.
+
+  You are returned to your Edge Services pipeline overview, but you are still in Edit mode.
+
+5. Continue to edit or delete other exclusions as necessary.
+
+6. Click **Save changes** to exit Edit mode and save all your changes.
+
+## How to delete exclusions
+
+1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to delete WAF exclusions.
+
+2. In the WAF panel, click <Icon name="delete" /> next to the exclusion you want to delete. 
+
+    WAF goes into Edit mode, and a pop-up displays, asking you to confirm the deletion.
+
+3. Click **Delete**.
+
+You are returned to your Edge Services pipeline overview, but you are still in Edit mode.
+
+4. Continue to edit or delete other exclusions as necessary.
+
+6. Click **Save changes** to exit Edit mode and save all your changes and deletions.
+
+## How to edit WAF configuration
+
+You can edit WAF's paranoia level and mode (log or block) at any time.
+
+1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to edit WAF.
+
+2. In the WAF panel, click <Icon name="edit" />.
+
+3. Edit the paranoia level and mode as required.
+
+4. Click **Save**.
+
+    Your edits are saved, and you are returned to teh Edge Services pipeline dashboard.
+
+## How to disable WAF
+
+You can disable WAF at any time.
+
+1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to disable WAF.
+
+2. In the WAF panel, click **Disable WAF**.
+
+    A pop-up displays, informing you that WAF will no longer evaluate, block or log requests to your Load Balancer origin.
+
+3. Click **Disable** to confirm.
+
+    WAF is disabled and you are returned to your Edge Services' pipeline overview.
+
diff --git a/pages/edge-services/reference-content/understanding-waf.mdx b/pages/edge-services/reference-content/understanding-waf.mdx
@@ -0,0 +1,45 @@
+---
+meta:
+  title: Understanding Edge Services Web Application Firewall (WAF)
+  description: Learn how to protect your web applications with Scaleway Edge Services Web Application Firewall (WAF). Discover the principles, paranoia levels, and limitations of WAF, and find out how to define exclusions for optimal security and performance.
+content:
+  h1: Understanding Edge Services Web Application Firewall (WAF)
+  paragraph: Learn how to protect your web applications with Edge Services Web Application Firewall (WAF). Discover the principles, paranoia levels, and limitations of WAF, and find out how to define exclusions for optimal security and performance.
+tags: edge-services web-application-firewall waf paranoia-levels exclusions
+dates:
+  validation: 2025-03-03
+  creation: 2025-03-03
+categories: 
+  - network
+---
+
+If your Edge Services pipeline points towards a Load Balancer origin, you can choose to enable the **W**eb **A**pplication **F**irewall (WAF) feature, for added protection. This documentation page gives a detailed overview of WAF, and the different settings, modes and functionalities available.
+
+## WAF overview
+
+When enabled, WAF protects your Load Balancer backend from potential threats.
+
+It does so by evaluating each request to your Load Balancer origin, to determine whether it is potentially malicious. Four different rulesets can be used to evaluate requests, each more aggressive than the last. The ruleset to use is determined by the **paranoia level** set by the user.
+
+For requests judged to be malicious, WAF can either block them from passing to your origin, or simply log them but allow them to pass, depending on the settings you choose.
+
+You can set **exclusions**, so that certain requests are not evaluated by WAF and are allowed to pass directly to your Load Balancer origin. Exclusion filters are based on the request path and/or HTTP request type.
+
+TODO WAF diagram?
+
+## WAF in an Edge Services pipeline
+
+In an Edge Services pipeline, WAF sits before the origin stage. This means that WAF only protects your origin, it does not protect or filter requests towards the cache.
+
+TODO DIAGRAM
+
+## WAF ruleset and paranoia level
+
+When evaluating requests
+
+## WAF limitations
+
+- WAF is only compatible with Load Balancer origins. It cannot be enabled for Object Storage bucket origins.
+- WAF protects your origin only, and not your cache.
+- You can add a maximum of 100 WAF exclusions
+- 
